Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
6b2417eeac6a435ce8ef52ec4b98082b.exe
-
Size
292KB
-
Sample
221104-x5hapsacd7
-
MD5
6b2417eeac6a435ce8ef52ec4b98082b
-
SHA1
46a459c36a345038af6cf8ebf2d9bfa4db1a8df0
-
SHA256
9804e56a73b0af43b7b519da92467c63365bf8cdd27090e2b0641616b9992632
-
SHA512
46a395a047075979cc36b3415750c9a837a3975d8b2ddaa86c0c870687e93427a91fcb9192f0caec06bf6724ee060a940272bb0dae185bf920f1fa6ab9616cb4
-
SSDEEP
3072:31S1BIEjT02LyIk3u5rAy3zzStYfMoNwIYt2Y03P5emgbvQih/98KD:ABI92Le3q3itYfLJ9Y03P5emgT7/L
Static task
static1
Behavioral task
behavioral1
Sample
6b2417eeac6a435ce8ef52ec4b98082b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6b2417eeac6a435ce8ef52ec4b98082b.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
remcos
v381
srv01.airdns.org:32841
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
winupd381.exe
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
mouse_option
false
-
mutex
winupd_v381-K1NSYR
-
screenshot_crypt
true
-
screenshot_flag
false
-
screenshot_folder
winupdc_sc
-
screenshot_time
1
-
startup_value
winupd381
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Extracted
redline
@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
151.80.89.233:13553
-
auth_value
fbee175162920530e6bf470c8003fa1a
Extracted
remcos
New
173.212.217.108:1050
zab4ever.no-ip.org:1050
1zab4ever.no-ip.org:1050
1zab4ever.duckdns.org:1050
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
BrowseUpdt.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
nobita.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
khruioprs-T021C4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
BrowseUpdt
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
6b2417eeac6a435ce8ef52ec4b98082b.exe
-
Size
292KB
-
MD5
6b2417eeac6a435ce8ef52ec4b98082b
-
SHA1
46a459c36a345038af6cf8ebf2d9bfa4db1a8df0
-
SHA256
9804e56a73b0af43b7b519da92467c63365bf8cdd27090e2b0641616b9992632
-
SHA512
46a395a047075979cc36b3415750c9a837a3975d8b2ddaa86c0c870687e93427a91fcb9192f0caec06bf6724ee060a940272bb0dae185bf920f1fa6ab9616cb4
-
SSDEEP
3072:31S1BIEjT02LyIk3u5rAy3zzStYfMoNwIYt2Y03P5emgbvQih/98KD:ABI92Le3q3itYfLJ9Y03P5emgT7/L
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-